Fact check your "Fact check":
Maybe YOUR VPN doesn't encrypt. But a good VPN does encrypt data regardless of whether it's already encrypted with SSL. Why else would you need to keep up with a secret key or identity for some VPNs? That key is used to asymmetrically encrypt data client side so the VPN can decrypt and forward to the destination.
Many corporations don't use SSL for internal websites because those are only accessible via the corporate VPN anyways and thus traffic is already encrypted by the VPN.
Agree that VPN marketing tends to oversell the effectiveness of this encryption. For example, if the SSL keys are leaked from the sites you visit, then all your requests during the session whose keys were leaked are now able to be SSL decrypted and read. This is because the VPN decrypts the data before sending to the destination who handles the SSL decryption.
The VPN encryption really only obfuscates the data from your ISP and any other middlemen between the VPN client and server.
A VPN that doesn't encrypt is just a proxy.
To clarify what I mean by this - the data encryption is redundant and unnecessary, and it implies that the data wasn’t already encrypted to begin with.
reply
The encryption VPNs do is not redundant because you cannot assume all data is encrypted. Furthermore, it is not unnecessary because it has the effect of obfuscating data from your ISP.
reply
What’s an example of non encrypted data you’re thinking of?
reply
Yeah, some websites don't automatically redirect to HTTPS when you intentionally go out of your way to use HTTP. By default, they're either HTTPS, or they're static and not accepting data in the first place.
FWIW, this list is pretty out of date, you can check it out for yourself.
If your website doesn't automatically redirect to HTTPS, the worst thing that can happen is, you're on a network with an eavesdropper, they send you a phishing link that's HTTP, you click on it, and type in a password that they can see. Maybe there's a reason you're being targeted, but in that case, a) you probably know how to look out for phishing, and b) there are more effective attacks you can attempt to steal someone's password besides trying to spy on unencrypted traffic.
Also, if your website doesn't automatically redirect to HTTP, I can guarantee you're getting 2-3 emails every month from some bug bounty researcher about it.
reply
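The comment above argues about sites that do or do not redirect plain HTTP to HTTPS. As an added example (not from anyone in this thread), here is a small Python checker that classifies a site's answer to a plain-HTTP request: does it redirect, does the redirect land on https, does it stay on the same host, and does the HTTPS response carry HSTS. The responses are constructed sample data (hostnames under `example.test`), not captured from any real site, so the script runs offline; to audit a live site you would feed it the status and headers from an actual `http://` request instead.

```python
from urllib.parse import urlsplit

# Constructed sample responses to GET http://example.test/login.
# Each entry is (status code, response headers); none of these are real captures.
SAMPLE_RESPONSES = {
    "upgrades": (301, {"Location": "https://example.test/login"}),
    "upgrades_relative": (302, {"Location": "/login"}),          # relative: stays on http
    "redirects_to_http": (302, {"Location": "http://www.example.test/login"}),
    "other_host": (301, {"Location": "https://cdn.example.test/login"}),
    "serves_plain": (200, {"Content-Type": "text/html"}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def classify_http_response(requested_url, status, headers, https_headers=None):
    """Decide whether a plain-HTTP response upgrades the client to HTTPS.

    https_headers, if given, are the headers of the final HTTPS response; HSTS
    is only looked for there, because browsers ignore an HSTS header that
    arrives over plain HTTP (RFC 6797).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    req = urlsplit(requested_url)
    result = {"redirects_to_https": False, "same_host": False,
              "hsts": None, "finding": ""}

    if status in REDIRECT_STATUSES and "location" in hdrs:
        loc = urlsplit(hdrs["location"])
        # A relative Location keeps the request's scheme, i.e. plain http here.
        scheme = loc.scheme or req.scheme
        host = loc.hostname or req.hostname
        if scheme == "https":
            result["redirects_to_https"] = True
            result["same_host"] = host == req.hostname
            result["finding"] = ("redirects to https on the same host" if result["same_host"]
                                 else "redirects to https on a different host")
        else:
            result["finding"] = f"redirects to {scheme} URL, not https"
    elif status in REDIRECT_STATUSES:
        result["finding"] = "redirect status without a Location header"
    else:
        result["finding"] = f"serves content over plain http (status {status})"

    if https_headers is not None:
        h2 = {k.lower(): v for k, v in https_headers.items()}
        hsts = h2.get("strict-transport-security")
        result["hsts"] = parse_hsts(hsts) if hsts else None
    return result


def audit_samples():
    """Run every constructed sample through the classifier; returns name -> result."""
    return {name: classify_http_response("http://example.test/login", status, headers)
            for name, (status, headers) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, res in audit_samples().items():
        print(f"{name:20s} -> {res['finding']}")
```

The "upgrades_relative" case is the one that catches people: a redirect is present, but a scheme-less Location keeps the browser on plain HTTP, so the classifier reports it as not upgrading. HSTS is checked on the HTTPS response only, for the reason given in the docstring.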